A Take on Toorcon 13
As the security conference season winds down for the year, I have become increasingly impressed with Toorcon. Never mind the fact that my colleague Jacob Ansari and I both spoke this year; the conference itself is probably one of the best bang-for-the-buck conferences available right now.
As always, the first day (Friday - I am glossing over the hands-on workshop prior to this) is seminars. Seminars are 70-minute slots that really have more of a "business conference" feel to them and are intended to provide at least some degree of training. Everything from compliance to exploitation is discussed in these events. This year, two presentations in particular caught my interest.
The first was from Chris Elisan and covered the much-ballyhooed Advanced Persistent Threat (APT). Typically, such a presentation makes me a bit suspicious, as APT has been glommed on to as a great MBM - Management By Magazine - term. I don't find many people who can define it particularly well. Chris did a great job explaining the components of an APT and how they fit together, and talked about some of the "solutions" for those people who don't want to pay the big bucks to sign up with their local crime syndicate.
The other was from two guys whose business, at least in part, is built around social engineering your way out of PCI hell. As PCI QSAs, both Jacob and I were interested in this, and a fair amount of it made us laugh (or cringe). I could definitely see a lot of the tactics they described working on less-experienced or corner-cutting assessors, but I like to think I'd be wise to them. :) That said, there were a few "wow" moments people may not have considered - for example, make sure you double-check that those badge-access locks on the doors actually WORK.
Of course, Jacob's talk on transparent data encryption was excellent, and was very well received, too. I always think the mark of a good presentation is the amount of thought-provoking questions asked afterward, and Jacob's presentation did not disappoint!
The remainder of the conference was more typical. Saturday consisted of 50-minute presentations covering a variety of topics. The EFF brought a lawyer (Hanni Fakhoury) on stage to talk about digital evidence, the frightening interpretation of certain laws, and what impact it has on even us law-abiding citizens.
Dan Kaminsky, as only he can do, had a free-form discussion around the current state of the information security industry that began with a great story about the pain of wire transferring a few hundred dollars to a friend in need. The discussion evolved into a central theme: challenge existing theories about what makes for good information security policy and what works to secure our systems. According to Kaminsky, those of us with a stake in making things better need to keep at it and actually develop REAL solutions for protecting our data, yet still make things usable, since there should be no reason for it to take three hours to wire a small sum of money to another party. The solutions our industry has come up with - better passwords, development methodologies and education - have been insufficient thus far.
Another presentation went into how quickly .NET applications can be hacked, and how there is really not a ton we can do about it. It's not a new problem, to be sure, but some of the tools available to do this now make it far more accessible. Oh, and for the record, obfuscation isn't going to help. Obfuscation may make a company feel better about protecting its intellectual property, but obfuscation techniques are nothing more than minor speed bumps to reverse engineering and modifying code.
On Sunday, the standout talk (aside from mine on fgdump3!) was the opener: "In a Gadda da Vida". Not knowing much about the presentation prior, expectations were a bit low, but Josh absolutely blew the doors off of the place and showed how Shodan and some basics can be used to gain terrifying access to CDMA-enabled devices. SCADA, "Amber Alert" signs, CDMA-to-phone/IP devices, none escaped the analysis, and it was absolutely amazing. Now, I'm not quite as brave as Josh (I wonder if anyone interesting will pay him a visit), but it got me really excited about old-school hacking techniques again. It's just a shame they still work.
I'm looking at alternatives to Defcon after next year, as I feel the conference has simply become too unwieldy to have really personal and direct conversations with one's peers. Toorcon is at the top of my list right now, and I'm hearing more and more of that from people. It's definitely one I would strongly recommend - not to mention, San Diego is quite wonderful in October. :)